diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go
index 7c8932ba08..6ef8346f59 100644
--- a/task-generator/remote/main.go
+++ b/task-generator/remote/main.go
@@ -16,6 +16,10 @@ package main
 import (
 "bytes"
 "flag"
+ "os"
+ "path/filepath"
+ "strings"
+
 tektonapi "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -23,10 +27,7 @@ import (
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/cli-runtime/pkg/printers"
 klog "k8s.io/klog/v2"
- "os"
- "path/filepath"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
- "strings"
 )
 
 func main() {
@@ -127,6 +128,10 @@ fi
 `
 env := "$PODMAN_PORT_FORWARD \\\n"
+
+ // disable podman subscription-manager integration
+ env += " --tmpfs /run/secrets \\\n"
+
 // Before the build we sync the contents of the workspace to the remote host
 for _, workspace := range task.Spec.Workspaces {
 ret += "\nrsync -ra $(workspaces." + workspace.Name + ".path)/ \"$SSH_HOST:$BUILD_DIR/workspaces/" + workspace.Name + "/\""
diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md
index 6cb12c142b..6e96867d20 100644
--- a/task/buildah-oci-ta/0.1/README.md
+++ b/task/buildah-oci-ta/0.1/README.md
@@ -8,6 +8,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 ## Parameters
 |name|description|default value|required|
 |---|---|---|---|
+|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
 |ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false|
 |ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false|
 |BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
index e63c334f0a..5320a52d3c 100644
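Review bot: The comment `// disable podman subscription-manager integration` on the new `--tmpfs /run/secrets` flag names the mechanism but not the risk, and the flag is appended to a variable called `env` that otherwise only carries port-forward and `-e` options, so a later edit to the generated `podman run` line could drop it without noticing what it protects. I would write `// Mount an empty tmpfs over /run/secrets so podman's automatic host subscription/entitlement mounts are not visible inside the build container; the task passes its own activation key explicitly.` The host-side mounts.conf behaviour is not visible in this diff, so confirm the comment matches the remote host's podman configuration. Renaming `env` to something like `podmanArgs` would also fit better now that it carries a mount option. main() continues outside the hunk.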
--- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -16,6 +16,10 @@ spec:
 When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
 When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
 params:
+ - name: ACTIVATION_KEY
+ description: Name of secret which contains subscription activation key
+ type: string
+ default: activation-key
 - name: ADDITIONAL_SECRET
 description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET
@@ -140,6 +144,10 @@ spec:
 description: The counting of Java components by publisher in JSON format
 type: string
 volumes:
+ - name: activation-key
+ secret:
+ optional: true
+ secretName: $(params.ACTIVATION_KEY)
 - name: additional-secret
 secret:
 optional: true
@@ -163,6 +171,8 @@ spec:
 emptyDir: {}
 stepTemplate:
 env:
+ - name: ACTIVATION_KEY
+ value: $(params.ACTIVATION_KEY)
 - name: ADDITIONAL_SECRET
 value: $(params.ADDITIONAL_SECRET)
 - name: ADD_CAPABILITIES
@@ -221,6 +231,8 @@ spec:
 name: varlibcontainers
 - mountPath: /entitlement
 name: etc-pki-entitlement
+ - mountPath: /activation-key
+ name: activation-key
 - mountPath: /additional-secret
 name: additional-secret
 - mountPath: /mnt/trusted-ca
@@ -353,6 +365,13 @@ spec:
 echo "Adding the entitlement to the build"
 fi
 
+ ACTIVATION_KEY_PATH="/activation-key"
+ if [ -d "$ACTIVATION_KEY_PATH" ]; then
+ cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
+ VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key"
+ echo "Adding activation key to the build"
+ fi
+
 ADDITIONAL_SECRET_PATH="/additional-secret"
 ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
 if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
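Review bot: The `if [ -d "$ACTIVATION_KEY_PATH" ]` guard in the @@ -353 hunk cannot tell whether an activation key was actually supplied: the volume is declared `optional: true`, and Kubernetes still mounts an empty directory when an optional secret is absent, so the `cp`, the extra `--volume` and the "Adding activation key to the build" log line run on every build. A content check such as `if [ -d "$ACTIVATION_KEY_PATH" ] && [ -n "$(ls -A "$ACTIVATION_KEY_PATH")" ]; then` would keep the log honest and avoid bind-mounting an empty directory into the buildah build. The same guard is repeated in buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml; in the two remote variants the directory is additionally always present because rsync creates `$BUILD_DIR/volumes/activation-key` before it is bind-mounted with `-v`. The entitlement block directly above presumably has the same shape, but it starts outside the hunk, so I have not checked it.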
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
index 6fce7565a2..559702b308 100644
--- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
@@ -16,6 +16,10 @@ spec:
 When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
 When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
 params:
+ - default: activation-key
+ description: Name of secret which contains subscription activation key
+ name: ACTIVATION_KEY
+ type: string
 - default: does-not-exist
 description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET
@@ -143,6 +147,8 @@ spec:
 stepTemplate:
 computeResources: {}
 env:
+ - name: ACTIVATION_KEY
+ value: $(params.ACTIVATION_KEY)
 - name: ADDITIONAL_SECRET
 value: $(params.ADDITIONAL_SECRET)
 - name: ADD_CAPABILITIES
@@ -238,6 +244,7 @@ spec:
 rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/"
 rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/"
 rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/"
+ rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/"
 rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/"
 rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/"
 rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
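Review bot: The added `rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/"` in the @@ -238 hunk copies subscription activation key material onto the remote build host, where it persists for as long as `$BUILD_DIR` does; whether `$BUILD_DIR` is removed after the build is not visible here, so confirm the cleanup path also covers `volumes/activation-key`. Because `-a` preserves the projected secret's mode bits, the file lands with the permissions the kubelet assigned (0644 unless `defaultMode` is set on the new `activation-key` volume) inside a directory owned by the SSH user, so setting a restrictive `defaultMode` on that volume is worth considering. buildah-remote.yaml carries the same rsync line in its @@ -226 hunk. The surrounding rsync block starts before this hunk.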
@@ -370,6 +377,13 @@ spec:
 echo "Adding the entitlement to the build"
 fi
 
+ ACTIVATION_KEY_PATH="/activation-key"
+ if [ -d "$ACTIVATION_KEY_PATH" ]; then
+ cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
+ VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key"
+ echo "Adding activation key to the build"
+ fi
+
 ADDITIONAL_SECRET_PATH="/additional-secret"
 ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
 if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
@@ -413,6 +427,8 @@ spec:
 chmod +x scripts/script-build.sh
 rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
+ --tmpfs /run/secrets \
+ -e ACTIVATION_KEY="$ACTIVATION_KEY" \
 -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \
 -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \
 -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
@@ -435,6 +451,7 @@ spec:
 -v "$BUILD_DIR/volumes/shared:/shared:Z" \
 -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \
 -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
+ -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \
 -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \
 -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \
 -v "$BUILD_DIR/.docker/:/root/.docker:Z" \
@@ -459,6 +476,8 @@ spec:
 name: varlibcontainers
 - mountPath: /entitlement
 name: etc-pki-entitlement
+ - mountPath: /activation-key
+ name: activation-key
 - mountPath: /additional-secret
 name: additional-secret
 - mountPath: /mnt/trusted-ca
@@ -636,6 +655,10 @@ spec:
 name: upload-sbom
 workingDir: /var/workdir
 volumes:
+ - name: activation-key
+ secret:
+ optional: true
+ secretName: $(params.ACTIVATION_KEY)
 - name: additional-secret
 secret:
 optional: true
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
index 0525273b36..bb8a4e5a15 100644
--- a/task/buildah-remote/0.1/buildah-remote.yaml
+++ b/task/buildah-remote/0.1/buildah-remote.yaml
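Review bot: The new `-v "$BUILD_DIR/volumes/activation-key:/activation-key:Z"` in the @@ -435 hunk mounts the activation key into the remote build container read-write, although the step script only reads it (it copies the directory to /tmp with `cp -r` before calling buildah); the least-privilege form is `-v "$BUILD_DIR/volumes/activation-key:/activation-key:ro,Z" \`. The neighbouring entitlement and additional-secret mounts use the same read-write style, so the new line is consistent with existing code, but a secret mount is a sensible place to start tightening. buildah-remote.yaml has the same line in its @@ -428 hunk. The `podman run` command begins before this hunk and continues after it.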
@@ -78,6 +78,10 @@ spec:
 description: Name of secret which contains the entitlement certificates
 name: ENTITLEMENT_SECRET
 type: string
+ - default: activation-key
+ description: Name of secret which contains subscription activation key
+ name: ACTIVATION_KEY
+ type: string
 - default: does-not-exist
 description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET
@@ -166,6 +170,8 @@ spec:
 value: $(params.BUILDER_IMAGE)
 - name: ENTITLEMENT_SECRET
 value: $(params.ENTITLEMENT_SECRET)
+ - name: ACTIVATION_KEY
+ value: $(params.ACTIVATION_KEY)
 - name: ADDITIONAL_SECRET
 value: $(params.ADDITIONAL_SECRET)
 - name: BUILD_ARGS_FILE
@@ -226,6 +232,7 @@ spec:
 rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/"
 rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/"
 rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/"
+ rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/"
 rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/"
 rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/"
 rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
@@ -362,6 +369,13 @@ spec:
 echo "Adding the entitlement to the build"
 fi
 
+ ACTIVATION_KEY_PATH="/activation-key"
+ if [ -d "$ACTIVATION_KEY_PATH" ]; then
+ cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
+ VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key"
+ echo "Adding activation key to the build"
+ fi
+
 ADDITIONAL_SECRET_PATH="/additional-secret"
 ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
 if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
@@ -405,6 +419,7 @@ spec:
 chmod +x scripts/script-build.sh
 rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
+ --tmpfs /run/secrets \
 -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
 -e STORAGE_DRIVER="$STORAGE_DRIVER" \
 -e HERMETIC="$HERMETIC" \
@@ -419,6 +434,7 @@ spec:
 -e TARGET_STAGE="$TARGET_STAGE" \
 -e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \
 -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
+ -e ACTIVATION_KEY="$ACTIVATION_KEY" \
 -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \
 -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
 -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \
@@ -428,6 +444,7 @@ spec:
 -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \
 -v "$BUILD_DIR/volumes/shared:/shared:Z" \
 -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
+ -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \
 -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \
 -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \
 -v "$BUILD_DIR/.docker/:/root/.docker:Z" \
@@ -452,6 +469,8 @@ spec:
 name: varlibcontainers
 - mountPath: /entitlement
 name: etc-pki-entitlement
+ - mountPath: /activation-key
+ name: activation-key
 - mountPath: /additional-secret
 name: additional-secret
 - mountPath: /mnt/trusted-ca
@@ -641,6 +660,10 @@ spec:
 secret:
 optional: true
 secretName: $(params.ENTITLEMENT_SECRET)
+ - name: activation-key
+ secret:
+ optional: true
+ secretName: $(params.ACTIVATION_KEY)
 - name: additional-secret
 secret:
 optional: true
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index 04e493dd3f..dec1ad4b44 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -71,6 +71,10 @@ spec:
 description: Name of secret which contains the entitlement certificates
 type: string
 default: "etc-pki-entitlement"
+ - name: ACTIVATION_KEY
+ default: activation-key
+ description: Name of secret which contains subscription activation key
+ type: string
 - name: ADDITIONAL_SECRET
 description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET
 type: string
@@ -153,6 +157,8 @@ spec:
 value: $(params.BUILDER_IMAGE)
 - name: ENTITLEMENT_SECRET
 value: $(params.ENTITLEMENT_SECRET)
+ - name: ACTIVATION_KEY
+ value: $(params.ACTIVATION_KEY)
 - name: ADDITIONAL_SECRET
 value: $(params.ADDITIONAL_SECRET)
 - name: BUILD_ARGS_FILE
@@ -306,6 +312,13 @@ spec:
 echo "Adding the entitlement to the build"
 fi
 
+ ACTIVATION_KEY_PATH="/activation-key"
+ if [ -d "$ACTIVATION_KEY_PATH" ]; then
+ cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
+ VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key"
+ echo "Adding activation key to the build"
+ fi
+
 ADDITIONAL_SECRET_PATH="/additional-secret"
 ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
 if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
@@ -353,6 +366,8 @@ spec:
 name: varlibcontainers
 - mountPath: "/entitlement"
 name: etc-pki-entitlement
+ - mountPath: /activation-key
+ name: activation-key
 - mountPath: "/additional-secret"
 name: additional-secret
 - name: trusted-ca
@@ -543,6 +558,10 @@ spec:
 secret:
 secretName: $(params.ENTITLEMENT_SECRET)
 optional: true
+ - name: activation-key
+ secret:
+ optional: true
+ secretName: $(params.ACTIVATION_KEY)
 - name: additional-secret
 secret:
 secretName: $(params.ADDITIONAL_SECRET)
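Review bot: The new ACTIVATION_KEY param in the @@ -71 hunk orders its keys `name, default, description, type`, while the ENTITLEMENT_SECRET entry just above it uses `description, type, default` and quotes its default as `"etc-pki-entitlement"`; the different order and the bare `default: activation-key` read as if pasted from the generated remote variant rather than written for this hand-maintained file. Matching the neighbour, with `default: "activation-key"` placed after `type: string`, would keep the params list uniform and make future diffs of this file easier to read. This is style only; the YAML is valid either way and the @@ -353 mount hunk's unquoted `/activation-key` next to the quoted `"/entitlement"` is the same kind of inconsistency.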